From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 1 Dec 2016 19:34:35 -0500 Subject: [refpolicy] [PATCH v4] Apache OpenOffice module In-Reply-To: <1480506047.4743.15.camel@trentalancia.net> References: <1480113700.5692.4.camel@trentalancia.net> <848bd66a-ead2-97e3-b952-265ab5d8c903@ieee.org> <1480506047.4743.15.camel@trentalancia.net> Message-ID: <129294c5-fc05-bd28-74b0-87e9bc3c2ef8@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/30/16 06:40, Guido Trentalancia via refpolicy wrote: > This is a minimal patch that I am testing to support Apache OpenOffice > with its own module. > > The file contexts (and initial tests) are based on the default > installation path for version 4 of the office suite. > > It includes revisions from Dominick Grift. > > Since the third version it should correctly manage files in home > directories and allow some other major functionality. > > The fourth version of the patch introduces a boolean to enable or > disable software updates from the network (application and/or > extensions). I'm ok merging this, but it will have to be split into separate base and contrib patches. > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/openoffice.fc | 30 +++++++++ > policy/modules/contrib/openoffice.if | 48 +++++++++++++++ > policy/modules/contrib/openoffice.te | 107 +++++++++++++++++++++++++++++++++++ > policy/modules/roles/staff.te | 4 + > policy/modules/roles/sysadm.te | 4 + > policy/modules/roles/unprivuser.te | 4 + > policy/modules/services/xserver.if | 19 ++++++ > policy/modules/system/libraries.fc | 2 > 8 files changed, 218 insertions(+) > > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc refpolicy-git-25112016/policy/modules/contrib/openoffice.fc > --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.fc 1970-01-01 01:00:00.000000000 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.fc 2016-11-26 15:05:58.006638672 +0100 > @@ -0,0 +1,30 @@ > +HOME_DIR/\.openoffice(/.*)? gen_context(system_u:object_r:ooffice_home_t,s0) > + > +/opt/openoffice4/program/cde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/gnome-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/gnome-open-url\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/javaldx -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/kde-open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/open-url -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/pagein -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/regcomp\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/regmerge -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/regview -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/sbase -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/scalc -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/sdraw -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/senddoc -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/simpress -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/smath -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/soffice -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/soffice\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/spadmin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/spadmin\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/startup\.sh -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/swriter -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/uno\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/unoinfo -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/unopkg -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/unopkg\.bin -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/unpack_update -- gen_context(system_u:object_r:ooffice_exec_t,s0) > +/opt/openoffice4/program/uri-encode -- gen_context(system_u:object_r:ooffice_exec_t,s0) > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if refpolicy-git-25112016/policy/modules/contrib/openoffice.if > --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.if 1970-01-01 01:00:00.000000000 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.if 2016-11-26 15:03:47.654293949 +0100 > @@ -0,0 +1,48 @@ > +## Openoffice suite. > + > +############################################################ > +## > +## Role access for openoffice. > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +## > +## User domain for the role. > +## > +## > +# > +interface(`ooffice_role',` > + gen_require(` > + attribute_role ooffice_roles; > + type ooffice_t, ooffice_exec_t; > + ') > + > + roleattribute $1 ooffice_roles; > + > + domtrans_pattern($2, ooffice_exec_t, ooffice_t) > + > + allow $2 ooffice_t:process { ptrace signal_perms }; > + ps_process_pattern($2, ooffice_t) > +') > + > +######################################## > +## > +## Run openoffice in its own domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`ooffice_domtrans',` > + gen_require(` > + type ooffice_t, ooffice_exec_t; > + ') > + > + domtrans_pattern($1, ooffice_exec_t, ooffice_t) > +') > diff -pruN refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te refpolicy-git-25112016/policy/modules/contrib/openoffice.te > --- refpolicy-git-25112016-orig/policy/modules/contrib/openoffice.te 1970-01-01 01:00:00.000000000 +0100 > +++ refpolicy-git-25112016/policy/modules/contrib/openoffice.te 2016-11-30 12:26:43.119275241 +0100 > @@ -0,0 +1,107 @@ > +policy_module(openoffice, 1.0.0) > + > +############################## > +# > +# Declarations > +# > + > +## > +##

> +## Determine whether openoffice can > +## download software updates from the > +## network (application and/or > +## extensions). > +##

> +## > +gen_tunable(openoffice_allow_update, true) > + > +attribute_role ooffice_roles; > + > +type ooffice_t; > +type ooffice_exec_t; > +userdom_user_application_domain(ooffice_t, ooffice_exec_t) > +role ooffice_roles types ooffice_t; > + > +type ooffice_home_t; > +userdom_user_home_content(ooffice_home_t) > + > +type ooffice_tmp_t; > +files_tmp_file(ooffice_tmp_t) > + > +############################## > +# > +# Openoffice local policy > +# > + > +allow ooffice_t self:process { execmem getsched signal }; > +allow ooffice_t self:shm create_shm_perms; > +allow ooffice_t self:fifo_file rw_fifo_file_perms; > +allow ooffice_t self:unix_stream_socket connectto; > + > +allow ooffice_t ooffice_home_t:dir manage_dir_perms; > +allow ooffice_t ooffice_home_t:file manage_file_perms; > +allow ooffice_t ooffice_home_t:lnk_file manage_lnk_file_perms; > +userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice") > + > +manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > +manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > +manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t) > +files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file }) > + > +can_exec(ooffice_t, ooffice_exec_t) > + > +corecmd_exec_bin(ooffice_t) > +corecmd_exec_shell(ooffice_t) > + > +dev_read_sysfs(ooffice_t) > +dev_read_urand(ooffice_t) > + > +files_getattr_all_dirs(ooffice_t) > +files_getattr_all_files(ooffice_t) > +files_getattr_all_symlinks(ooffice_t) > +files_read_etc_files(ooffice_t) > +files_read_usr_files(ooffice_t) > + > +fs_getattr_xattr_fs(ooffice_t) > + > +miscfiles_read_fonts(ooffice_t) > +miscfiles_read_localization(ooffice_t) > + > +sysnet_dns_name_resolve(ooffice_t) > + > +userdom_manage_user_home_content_dirs(ooffice_t) > +userdom_manage_user_home_content_files(ooffice_t) > +userdom_manage_user_home_content_symlinks(ooffice_t) > +userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) > + > +tunable_policy(`openoffice_allow_update',` > + corenet_tcp_connect_http_port(ooffice_t) > +') > + > +optional_policy(` > + cups_read_config(ooffice_t) > + cups_stream_connect(ooffice_t) > +') > + > +optional_policy(` > + dbus_all_session_bus_client(ooffice_t) > +') > + > +optional_policy(` > + hostname_exec(ooffice_t) > +') > + > +optional_policy(` > + java_exec(ooffice_t) > +') > + > +optional_policy(` > + mozilla_domtrans(ooffice_t) > +') > + > +optional_policy(` > + xserver_read_user_iceauth(ooffice_t) > + xserver_read_user_xauth(ooffice_t) > + xserver_read_xdm_tmp_files(ooffice_t) > + xserver_stream_connect(ooffice_t) > +') > diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/staff.te refpolicy-git-25112016/policy/modules/roles/staff.te > --- refpolicy-git-25112016-orig/policy/modules/roles/staff.te 2016-10-29 16:29:13.453156183 +0200 > +++ refpolicy-git-25112016/policy/modules/roles/staff.te 2016-11-26 15:03:47.656293970 +0100 > @@ -141,6 +141,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + ooffice_role(staff_r, staff_t) > + ') > + > + optional_policy(` > pyzor_role(staff_r, staff_t) > ') > > diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te refpolicy-git-25112016/policy/modules/roles/sysadm.te > --- refpolicy-git-25112016-orig/policy/modules/roles/sysadm.te 2016-10-29 16:29:13.454156211 +0200 > +++ refpolicy-git-25112016/policy/modules/roles/sysadm.te 2016-11-26 15:03:47.657293980 +0100 > @@ -721,6 +721,10 @@ optional_policy(` > ') > > optional_policy(` > + ooffice_role(sysadm_r, sysadm_t) > +') > + > +optional_policy(` > openct_admin(sysadm_t, sysadm_r) > ') > > diff -pruN refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te refpolicy-git-25112016/policy/modules/roles/unprivuser.te > --- refpolicy-git-25112016-orig/policy/modules/roles/unprivuser.te 2016-10-29 16:29:13.454156211 +0200 > +++ refpolicy-git-25112016/policy/modules/roles/unprivuser.te 2016-11-26 15:03:47.658293990 +0100 > @@ -114,6 +114,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + ooffice_role(user_r, user_t) > + ') > + > + optional_policy(` > postgresql_role(user_r, user_t) > ') > > diff -pruN refpolicy-git-25112016-orig/policy/modules/services/xserver.if refpolicy-git-25112016/policy/modules/services/xserver.if > --- refpolicy-git-25112016-orig/policy/modules/services/xserver.if 2016-08-14 22:10:42.752848860 +0200 > +++ refpolicy-git-25112016/policy/modules/services/xserver.if 2016-11-26 15:03:47.658293990 +0100 > @@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',` > > ######################################## > ## > +## Read all users .ICEauthority. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_read_user_iceauth',` > + gen_require(` > + type iceauth_home_t; > + ') > + > + allow $1 iceauth_home_t:file read_file_perms; > + userdom_search_user_home_dirs($1) > +') > + > +######################################## > +## > ## Set the attributes of the X windows console named pipes. > ## > ## > diff -pruN refpolicy-git-25112016-orig/policy/modules/system/libraries.fc refpolicy-git-25112016/policy/modules/system/libraries.fc > --- refpolicy-git-25112016-orig/policy/modules/system/libraries.fc 2016-08-14 21:24:48.961382244 +0200 > +++ refpolicy-git-25112016/policy/modules/system/libraries.fc 2016-11-26 15:03:47.659294001 +0100 > @@ -52,6 +52,8 @@ ifdef(`distro_redhat',` > /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) > /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) > > +/opt/openoffice4/program/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) > + > /opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) > # despite the extensions, they are actually libs > /opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito